Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Linux: extracting a symlink with ACLs modifies ACLs of target #1565

Closed
mmatuska opened this issue Aug 21, 2021 · 3 comments
Closed

Comments

@mmatuska
Copy link
Member

mmatuska commented Aug 21, 2021

When an archive entry contains a symbolic link that has defined ACLs on Linux, on extraction the ACLs of the link target are modified. This is because the function acl_set_file() is used without a prior check if the file is not a symbolic link.

FreeBSD and MacOS use acl_set_link_np() that does not follow symbolic links.

@ret2libc
Copy link

ret2libc commented Dec 1, 2021

Can Red Hat assign a CVE for this security issue? Or was it already requested to MITRE?

dongsupark added a commit to flatcar-archive/portage-stable that referenced this issue Dec 9, 2021
Update app-arch/libarchive to 3.5.2, to mainly address security issues
like libarchive/libarchive#1565,
libarchive/libarchive#1566.
@ret2libc
Copy link

ping @mmatuska

@carnil
Copy link

carnil commented Dec 17, 2021

Looks CVE-2021-23177 was assigned for this issue.

antekone pushed a commit to antekone/libarchive that referenced this issue Feb 6, 2022
On Linux ACLs on symbolic links are not supported.
We must avoid calling acl_set_file() on symbolic links as their
targets are modified instead.

While here, do not try to set default ACLs on non-directories.

Fixes libarchive#1565
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants